[
https://issues.apache.org/jira/browse/WW-5536?focusedWorklogId=1002172&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1002172
]
ASF GitHub Bot logged work on WW-5536:
--------------------------------------
Author: ASF GitHub Bot
Created on: 28/Jan/26 07:59
Start Date: 28/Jan/26 07:59
Worklog Time Spent: 10m
Work Description: lukaszlenart commented on code in PR #1405:
URL: https://github.com/apache/struts/pull/1405#discussion_r2735325837
##########
core/src/test/java/org/apache/struts2/ognl/OgnlUtilTest.java:
##########
@@ -1647,21 +1646,46 @@ public void testOgnlDefaultCacheFactoryCoverage() {
assertEquals("Eviction limit for cache mismatches limit for factory
?", 15, ognlCache.getEvictionLimit());
}
- public void testCustomOgnlMapBlocked() throws Exception {
- String vulnerableExpr =
"#@org.apache.struts2.ognl.MyCustomMap@{}.get(\"ye\")";
- assertEquals("System compromised", ognlUtil.getValue(vulnerableExpr,
ognlUtil.createDefaultContext(null), null));
+ public void testAllowCustomOgnlMap() throws Exception {
+ String vulnerableExpr = "#@org.test.MyCustomMap@{}.get(\"ye\")";
+ Object result = ognlUtil.getValue(vulnerableExpr,
ognlUtil.createDefaultContext(null), null);
+ assertNull("System compromised", result);
Review Comment:
I updated the test and added a few other as this was combination of some
more factors (like short circuit in OGNL in case if root is null)
Issue Time Tracking
-------------------
Worklog Id: (was: 1002172)
Time Spent: 3h 20m (was: 3h 10m)
> Bump ognl:ognl from 3.3.5 to 3.4.8
> ----------------------------------
>
> Key: WW-5536
> URL: https://issues.apache.org/jira/browse/WW-5536
> Project: Struts 2
> Issue Type: Dependency
> Components: Core
> Affects Versions: 6.7.0, 7.0.0
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 7.2.0
>
> Time Spent: 3h 20m
> Remaining Estimate: 0h
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
